FIREEYE APP FOR SPLUNK ENTERPRISE 6.X: Configuration ...
-
Upload
nguyennguyet -
Category
Documents
-
view
236 -
download
0
Transcript of FIREEYE APP FOR SPLUNK ENTERPRISE 6.X: Configuration ...
SECURITY REIMAGINED
Configuration Guide Version 1.3
FIREEYE APP FOR SPLUNK ENTERPRISE 6.X
S P E C I A L R E P O R T
2
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
CONTENTS
Welcome 3
Supported FireEye Event Formats 3
Original Build Environment 4
Possible Dashboard Configurations 4
Installing the FireEye App for Splunk Enterprise 7
Manual Installation Procedures 7
Configuring the FireEye App for Splunk Enterprise 8
Configuring Splunk 9
SYSLOG - TCP & UDP 9
HTTPS via Splunk RESTful API 11
Splunk User 13
Configuring FireEye (NX, EX, AX, FX) 14
Explanation of protocols 14
CEF over SYSLOG (TCP) 15
JSON over HTTPS 16
Optional Indexing 18
Integrating FireEye PX 19
Integrating FireEye HX 21
Integrating FireEye Threat Analytics Platform (TAP) 23
How it works 23
Requirements 23
Configuring the FireEye TAP API 24
Troubleshooting 30
Using Curl 30
Splunk Search 31
About the Author 32
Special Thanks 32
About FireEye, Inc. 32
3
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
WelcomeThis document provides instructions on installing the FireEye App for Splunk Enterprise and configuring the devices to communicate.
Supported FireEye Event Formats
Explanation of protocols
Easiest to configure
# Protocol Enc Reason
1 SYSLOG - TCP CEF No TCP does not require command-line configuration on FireEye Appliance
2 SYSLOG - UDP CEF No Provides more data than CSV
3 SYSLOG - TCP CSV No TCP does not require command-line configuration on FireEye Appliance
4 SYSLOG - UDP CSV No JSON provides more data than CEF and CSV
Requires more effort to configure
# Protocol Enc Reason
1 SYSLOG - TCP XML No TCP does not require command-line configuration on FireEye Appliance
2 SYSLOG - UDP XML No XML provides more data than CEF and CSV
3 SYSLOG - TCP JSON No TCP does not require command-line configuration on FireEye Appliance
4 SYSLOG - UDP JSON No Last resort - May not send protocol field
Most effort to configure
# Protocol Enc Reason
1 HTTPS JSON Yes Encrypted, lighter than XML
2 HTTPS XML Yes Encrypted
General notes
■■ When sending JSON or XML to EX, use concise alerting■■ For everything else, use normal alerting■■ Try the easiest to configure first. Then progress to most effort if necessary.
Warning
Preference is to use TCP, but if UDP is necessary -- set FireEye UDP syslog to max chunk-size of 4096:
ssh admin@<FireEyeBox> en conf t
fenotify rsyslog trap-sink <splunk_connector> chunk-size 4096
4
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Original Build Environment■■ Linux base OS■■ Splunk 6.X - Non-distributed environment
Possible Dashboard Configurations■■ Analytics: User-provided content. Feel free to contribute favorite dashboards via the feedback link within the app.■■ Visualization: Intended as a heads-up display for a NOC/SOC. GeoIP, trends, and charts.■■ Analysis: Analyst dashboard contains more detailed event data■■ Comprehensive: All panels displayed on one screen--Visualization + Comprehensive■■ Toolbox: Useful tools for investigators that include third-party lookups
Screenshots
The screenshots below provide default dashboards included in the FireEye App for Splunk Enterprise.
Figure 1: Analytics Dashboard
5
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Figure 2: FireEye NX Visualization
Figure 3: FireEye NX Analysis
6
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Figure 4: FireEye EX Visualization
Figure 5: FireEye EX Analysis
7
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Installing the FireEye App for Splunk EnterpriseUse the App Manager within Splunk or follow the manual installation instructions below:
Manual Installation Procedures1. Download the .spl or .tgz file.
2. Navigate to “Apps” -> “Manage Apps”.
3. Click on “Install app from file”.
4. Upload the downloaded file using the form provided.
5. Restart if the app requires it.
$SPLUNK_HOME/bin/splunk restart
Upon successful installation, the following screen will be present:
Figure 6: Successful Installation Message
8
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Configuring the FireEye App for Splunk EnterpriseFireEye realizes that every customer may not own the entire suite of appliances, thus the FireEye app allows the user to customize their menu options to only contain the necessary appliances. This can be done by performing the following actions:
1. Log into Splunk using an Administrator account
2. We have made it easy to setup and change the menus by going to Help -> Configure App
Figure 7: Help menu shows option to configure the application
3. In the next screen, users can enable certain FireEye products and optionally Daily Reports
Figure 8: FireEye App for Splunk Enterprise configuration screen
4. Restart Splunk when the following message appears: “Successfully updated FireEye_v3” in the top left hand corner of the screen.
$SPLUNK_HOME/bin/splunk restart
9
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Configuring SplunkThere are many options for configuring Splunk, but the main options are listed below. You choice will depend on the constraints in your environment.
Explanation of Protocols:
# Protocol Enc Reason
1 SYSLOG - TCP No Easier to send large amounts of data than UDP
2 SYSLOG - UDP No Last resort - requires shell configuration of FireEye devices
3 HTTPS via Splunk RESTful API
Yes Encrypted, flexible sending large amounts of data
SYSLOG - TCP & UDPThe steps below should assist in the setup. The instructions below show TCP, but can easily be changed if UDP is required.
Creating Connectors
Now that we have Splunk ready to go, we have to create the connection between the FireEye and Splunk devices. This involves creating a Splunk listener and configuring the FireEye device to send the data.
Splunk Listener
The Splunk listener needs to be configured so it can receive data from other devices. Perform the following steps to create the listener:
■■ Again, log into the Splunk web UI with an admin account■■ Click “Settings -> Data inputs -> Add data button”■■ Click “From a TCP port”■■ Enter “514” for the port■■ Set Source Type: From list■■ Select source type from list: syslog■■ Click the “Save” button■■ Click the “Back to home” link
Both FireEye and Splunk allow syslog over TCP. Using TCP, there are fewer concerns with data that is too large for SYSLOG—thus it is recommended.
10
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Figure 9: Adding a data connector in Splunk
Figure 10: Adding a data connector in Splunk
11
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
HTTPS via Splunk RESTful APIThe steps below should assist in the setup.
Splunk Listener
A default installation of Splunk 6.0 or later should automatically be listening via the RESTful API on port 8089. However, this can be verified by navigating to this API using a standard web browser: https://<SplunkBox>:8089
Figure 11: Splunk RESTful API is available on the default port 8089
12
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
If for whatever reason, you are not able to connect to this port, you can verify the service and port number using the following steps:
Using a web browser, log in to the web interface: http://<SplunkBox>:8000
■■ Username: <admin account>■■ Password: <password>
Set up the Splunk listener:
■■ Click the “Settings” hyperlink in the top right hand corner of Splunk■■ Under “System”, click “System settings”■■ Click “General Settings”■■ Note the value in the “Management port” field
Figure 12: The port that Splunk uses for its RESTful API
Splunk Role
We now want to create a user in Splunk that will be used for passing the RESTful API data. However, there is currently no predefined Splunk role that can perform the job while adhering to the principle of least privilege. We could just assign our new user the “admin” role, but this would create a more severe situation should this account ever become compromised.
The following instructions will create a Splunk role that has only the ability to accept data via the RESTful API:
■■ Log into the Splunk web UI with an admin account■■ Click “Settings -> Users and authentication -> Access controls”■■ Click “Roles” -> Click the “New” button■■ Role Name: RESTfulAPI■■ Capabilities: edit_tcp
13
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Splunk UserNow that we have created a secure role, we need to create an account that will be used for authentication to post our event data.
Note:
■■ Make sure the account name is alphanumeric only (no whitespaces)■■ Make sure password is 17 characters or less
• Example username: fireeye■■ Again, log into the Splunk web UI with an admin account■■ Click “Settings -> Users and authentication -> Access controls”■■ Click “Users” -> Click the “New” button■■ Fill in the required data■■ Privilege Note: Remember to use our newly created restfulapi role■■ Click the “Save” button
Figure 13: Creating the Splunk admin account that will accept our HTTP POST messages.
14
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Configuring FireEye (NX, EX, AX, FX)There are many options for installation, but the most reliable options are listed below in order of preference. You choice will depend on the constraints in your environment.
Explanation of protocolsEasiest to configure
# Protocol Enc Reason
1 SYSLOG - TCP CEF No TCP does not require command-line configuration on FireEye Appliance
2 SYSLOG - UDP CEF No Provides more data than CSV
3 SYSLOG - TCP CSV No TCP does not require command-line configuration on FireEye Appliance
4 SYSLOG - UDP CSV No Last resort - May not send protocol field
Requires more effort to configure
# Protocol Enc Reason
1 SYSLOG - TCP XML No TCP does not require command-line configuration on FireEye Appliance
2 SYSLOG - UDP XML No XML provides more data than CEF and CSV
3 SYSLOG - TCP JSON No TCP does not require command-line configuration on FireEye Appliance
4 SYSLOG - UDP JSON No JSON provides more data than CEF and CSV
Most effort to configure
# Protocol Enc Reason
1 HTTPS JSON Yes Encrypted, lighter than XML
2 HTTPS XML Yes Encrypted
General notes
■■ When sending JSON or XML to EX, use concise alerting■■ For everything else, use normal alerting■■ Try the easiest to configure first. Then progress to most effort if necessary.
Warning:
Preference is to use TCP, but if UDP is necessary -- set FireEye UDP syslog to max chunk-size of 4096:
ssh admin@<FireEyeBox>
en
conf t
fenotify rsyslog trap-sink <splunk_connector> chunk-size 4096
Two examples are provided below, First for SYSLOG and Second for HTTPS.
15
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
CEF over SYSLOG (TCP)The first option we will show is how to configure the FireEye device to send CEF over SYSLOG. We understand that sending data via HTTPS may not work for everyone.
Complete the following steps to send data to Splunk using CEF over SYSLOG (TCP):
■■ Log into the FireEye appliance with an administrator account■■ Click Settings■■ Click Notifications■■ Click rsyslog■■ Check the “Event type” check box■■ Next to the “Add Rsyslog Server” button, type “Splunk_CEF_SYSLOG”.■■ Then click the “Add Rsyslog Server” button.■■ Enter the IP address of the Splunk server in the “IP Address” field.
Make sure rsyslog settings are:
■■ Format: XML concise for EX, XML normal for everything else■■ Delivery: Per event■■ Send as: Alert■■ Change the protocol dropdown to TCP (or use the special max chunk-size for UDP to 4096)
Remember to click the “Update” button when finished.
Figure 14: Steps to set up SYSLOG
16
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
JSON over HTTPSThe second option we will show is how to configure the FireEye device to send JSON over HTTPS. HTTPS can be a good option if you are required or prefer to send data over an encrypted channel.
Complete the following steps to send data to Splunk using extended JSON via HTTPS Post:
■■ Log into the FireEye appliance with an administrator account■■ Click “Settings”■■ Click “Notifications”■■ Click the “http” hyperlink■■ Under the http hyperlink, make sure the “Event type” check box is selected■■ HTTP settings should be:■■ Default delivery: Per event■■ Default provider: Generic■■ Default format: JSON concise for EX, JSON normal for everything else■■ Click the “Apply Settings” button
Next to the “Add HTTP Server” button, type “SplunkHTTPS”. Then click the “Add HTTP Server” button.
Next to the newly created SplunkHTTPS entry:Select “Enabled”, “Auth”, and “SSL Enable” check boxes.
Enter the following settings:
■■ Server URL: https://<SplunkAD.DR.ESS>:<PORT>/services/receivers/simple?host=<FireEyeA ddress>&source=fe_alert&sourcetype=fe_json
■■ Username: fireeye (or username you created in Splunk)■■ Password: <password you created above in Splunk>
Note: The default port used above is 8089--unless it has been changed.
Ex: https://192.168.33.152:8089/services/receivers/simple?host=192.168.33.131&source=fe_ alert&sourcetype=fe_json
Remember to click the “Update” button when finished.
17
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Figure 15: Steps to configure the FireEye appliance to send data to Splunk
18
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Optional IndexingNote: Separate indexing may not work in all environments--such as complex distributed Splunk indexing and searching.
Upon installation, the FireEye App for Splunk Enterprise stores all alert data in Splunk’s default index called “main”. Depending on the size of the deployment and the amount of data already stored in the main Index, this could cause a significant performance issue. You have the option to store this data in its own index to improve search performance, however at the current time this change is unsupported. That said, some clients have reported significant improvements in search time when using a separate index. One real-world example is shown below along with the required modification to enable separate indexing:
Customer Results: Year to date search takes 9 minutes 15 seconds to populate the main dashboard from the main index. After the change to a separate index, it was reduced to 20 seconds.
Steps:
Remember to first create the index:Settings -> Data -> Indexes -> New -> Index name: fireeye -> Save
Out of the box configuration: eventtypes.conf is:
[fe]
search = sourcetype=fe_* OR sourcetype=hx_*
Modified configuration to support separate “fireeye” index: Change eventtypes.conf to:
[fe]
search = index=fireeye sourcetype=fe_* OR sourcetype=hx_*
Props.conf change: Remove the red hash (#) symbol below
# Uncomment the next line to send FireEye data to a separate index called "fireeye"
#TRANSFORMS-updateFireEyeIndex = fix_FireEye_CEF_in, fix_FireEye_CSV_in, fix_
FireEye_XML_in, fix_FireEye_JSON_st, fix_HX_CEF_in, fix_HX2_CEF_in
Note: If the infex is not going to be called fireeye, then transforms.conf needs to be modified.
Change RESTful string in the FireEye appliance: https://xx.xx.xx.xx:8089/services/receivers/simple?host=xx.xx.xx. xx&source=fe_alert&index=fireeye&sourcetype=fe_json
(Special thanks to Richard Griffith for the research and solution.)
19
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Integrating FireEye PXFollow the steps below to integrate FireEye PX with the FireEye App for Splunk Enterprise.
1. Run the setup within the app (Help -> Setup) and select the appliances
2. Add your PX appliance IP addresses in the following file: $SPLUNK_HOME/etc/apps/FireEye_v3/lookups/px_appliances.csv
Original config:
system
<Configure me>
<Read the config guide>
After you are done (assuming your PX appliance is 192.168.5.100):
system
192.168.5.100
If the setup file is configured with the PX check box checked, a PX Pivoting menu will be available in the drop down. If the px_appliances.csv file is not configured, then <Configure me> will appear in the PX appliance drop down. If it is configured, the IP of the appliance will be in the drop down.
Figure 16: Error message displayed when the PX is not configured
20
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Once set up, the dashboard can be used to pivot based on any of the following data (as shown in the screenshot below):
■■ Time■■ Source IP■■ Source Port■■ Destination IP■■ Destination Port■■ Source and Destination IP■■ Source and Destination IP and Destination Port■■ Source and Destination IP and Source and Destination Port
Figure 17: Fields that can be used to pivot
21
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Integrating FireEye HXFollow the steps below to integrate FireEye HX with the FireEye App for Splunk Enterprise.
1. Ensure that HX is selected as an option in the FireEye app under Help -> Configure App. (For more details, please see the section called:
“Configuring the FireEye App for Splunk Enterprise”)
2. Log into FireEye with an Administrator account
3. Navigate to FireEye -> Administration
Figure 18: Administration menu in HX
4. Click the drop down and then Logging
Figure 19: Logging option
5. Enter the Splunk server IP, Port, and Select TCP as the protocol. Then click the Save button.
22
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Figure 20: Entering syslog information
23
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Integrating FireEye Threat Analytics Platform (TAP)This section will outline how to integrate FireEye TAP into the FireEye App for Splunk Enterprise.
How it worksThe diagram below is designed to show one possible use case. It also helps to illustrate data flow options between Splunk and FireEye products.
Figure 21: One possible use case for TAP / Splunk integration
Requirements■■ FireEye TAP is setup and receiving proper logs to generate events■■ Third party Splunk App - Rest API Module Input (Big thanks to: Damien Dallimore)
• https://apps.splunk.com/app/1546/
24
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Configuring the FireEye TAP APIThe instructions below will outline how to configure the TAP API.
Create an API key
1. Log into the Threat Analytics Platform
2. Go to User settings by clicking the drop down arrow in the top right hand corner and then selecting “USER SETTINGS”
3. Select Applications and click “ADD NEW API KEY”
4. Name the API key. Ex: Splunk API key
5. Save the API key in a secure place -- It will not be displayed again.
Figure 22: API key provided
Figure 20: Generating an API key for TAP
25
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Discover the TAP Instance ID
The requirements for this step are the following:
1. URL of the TAP instance
2. API key from previous step
Using curl execute the following one-liner to retrieve the TAP Instance ID
Syntax:
curl -H "x-mansfield-key:INSERT_KEY_HERE" https://INSERT_URL_HERE/tap/ api/v1/users/instance
Example:
curl -H "x-mansfield-key:eb5123456789" https://yours.fireeyeapps.com/ tap/api/v1/users/instance
Expected response:
[{"id":"1234-123-123-123-123456789","name":"demo06","active":true}]
Be sure to copy down the TAP instance id that was returned from your query.
Now you have three pieces of vital information:
■■ URL of the TAP instance■■ API key from previous step■■ TAP instance ID
26
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Install the Splunk Rest API Module Input
Use the App Manager within Splunk to search for “Rest API Module Input”
Figure 22: Installing Splunk REST API module Input
Or follow the manual installation instructions below:
1. Download the .spl or .tgz file from: https://apps.splunk.com/app/1546/
2. Navigate to “Apps” -> “Manage Apps”.
3. Click on “Install app from file”.
4. Upload the downloaded file using the form provided.
5. Restart if the app requires it: $SPLUNK_HOME/bin/splunk restart splunk
27
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
Configure the Splunk Rest API Module Input
1. 1. Add the following custom handlers:
$SPLUNK_HOME/etc/apps/rest_ta/bin/responsehandlers.py
class FireEyeAlertHandler:
def init (self,**args): pass
def call (self, response_object,raw_response_output,response_ type,req_args,endpoint):
if response_type == "json":
output = json.loads(response_object.content) last_display_id = -1
for alert in output["alerts"]: print_xml_stream(json.dumps(alert)) if "displayId" in alert:
display_id = alert["displayId"] if display_id > last_display_id:
last_display_id = display_id if not "params" in req_args:
req_args["params"] = {}
if last_display_id > -1: req_args["params"]["offset"] = last_display_id
else:
print_xml_stream(raw_response_output)
class FireEyeIncidentHandler:
def init (self,**args): pass
def call (self, response_object,raw_response_output,response_ type,req_args,endpoint):
if response_type == "json":
output = json.loads(response_object.content) last_display_id = -1
for incident in output["incidents"]:
28
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
print_xml_stream(json.dumps(incident)) if "displayId" in incident:
display_id = incident["displayId"] if display_id > last_display_id:
last_display_id = display_id if not "params" in req_args:
req_args["params"] = {}
if last_display_id > -1: req_args["params"]["offset"] = last_display_id
else:
print_xml_stream(raw_response_output)
2. Within Splunk, go to Settings -> Data -> Data Inputs
3. Next to REST, click on Add new
Figure 23: Configuring the RESTful query options
29
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
4. To set up TAP alerts, fill in the following data fields and click the save button
a. REST API Input Name: TAP-Alertsb. Endpoint URL: https://INSERT_URL_HERE/tap/api/v1/alertsc. HTTP Method: GETd. Authentication Type: Nonee. HTTP Header Properties: x-mansfield-key=INSERT_KEY_HERE,X-FireEye-Tap-Instance=INSERT_TAP_ID_HEREf. URL Arguments: offset=0g. Response type: jsonh. Response Handler: FireEyeAlertHandleri. Polling Interval: 30j. Set Sourcetype: “Manual”k. Select source type from list: fe_tap_json
5. To set up TAP incidents, fill in the following data fields and click the save button
a. REST API Input Name: TAP-Incidentsb. Endpoint URL: https://INSERT_URL_HERE/tap/api/v1/incidentsc. HTTP Method: GETd. Authentication Type: Nonee. HTTP Header Properties: x-mansfield-key=INSERT_KEY_HERE,X-FireEye-Tap-Instance=INSERT_TAP_ID_HEREf. URL Arguments: offset=0g. Response type: jsonh. Response Handler: FireEyeIncidentHandleri. Polling Interval: 30j. Set Sourcetype: “Manual”k. Select source type from list: fe_tap_json
6. Upon saving, Splunk should attempt a query, thus if there are TAP events, they will show up in the FireEye App for Splunk Enterprise under Visualization -> Tap Visualization and Analysis -> Tap Analysis
Figure 24: TAP visualization
30
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
TroubleshootingThere are many methods that can be used to troubleshoot connection issues.
Using CurlUsing any Linux host, or Cygwin on Windows perform the following:
Step 1) echo test > test.xmlStep 2) curl -k -g --user <username>:<password> --data-binary @test.xml
Example:
curl -k -g --user fireeye:1qaz@WSX --data-binary @oneline.txt “https://192.168.33.152:8089/services/receivers/simple?host=1 92.168.33.153&source=fe_alert&sourcetype=fe_xml”
Result:
You should see something similar to the following response from Splunk after issuing the command above:
<?xml version=”1.0” encoding=”UTF-8”?>
<response>
<results>
<result>
<field k=”_index”>
<value>
<text>default</text>
</value>
</field>
<field k=”bytes”>
<value>
<text>4</text>
</value>
</field>
<field k=”host”>
<value>
<text>Source IP Address here</text>
</value>
</field>
<field k=”source”>
<value>
31
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
<text>fe_alert</text>
</value>
</field>
<field k=”sourcetype”>
<value>
<text>fe_xml</text>
</value>
</field>
</result>
</results>
</response>
Splunk SearchAfter the data is successfully sent to Splunk, you should be able to search for it using the following search term: source=fe_alert
You should see “test” as the message body because it was in the body of test.xml
32
Configuration Guide Version 1.3FireEye APP for Splunk Enterprise 6.X
About the Author Tony Lee has more than ten years of professional experience pursuing his passion in all areas of information
security. He is currently a Technical Director at Mandiant, a FireEye Company, advancing many of the network
penetration testing service lines. His interests of late are kiosk hacking, post exploitation tactics, and malware
research. As an avid educator, Tony has instructed thousands of students at many venues worldwide, including
government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to
share knowledge as a contributing author to Hacking Exposed 7, frequent blogger, and a lead instructor for a
series of classes. He holds a Bachelor of Science degree in computer engineering from Virginia Polytechnic
Institute and State University and a Master of Science degree in security informatics from The Johns Hopkins University.
Email: Tony.Lee -at-FireEye.com
Linked-in: http://www.linkedin.com/in/tonyleevt
Special ThanksDennis Hanzlik
Dan Dumond
Ian Ahl
Dave Pany
Karen Kukoda
Leianne Lamb
Brian Stoner
Gunpreet Singh
Kate Scott
About FireEye, Inc. FireEye protects the most valuable assets in the world from those who have them in their sights. Our combination of technology,
intelligence, and expertise — reinforced with the most aggressive incident response team — helps eliminate the impact of security
breaches. We find and stop attackers at every stage of an incursion. With FireEye, you’ll detect attacks as they happen. You’ll
understand the risk these attacks pose to your most valued assets. And you’ll have the resources to quickly respond and resolve
security incidents. FireEye has over 3,100 customers across 67 countries, including over 200 of the Fortune 500.
To learn more about
how FireEye can help you focus
on the alerts that matter,
visit: www.fireeye.com
© 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. ???????????
FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | [email protected] | www.fireeye.com